Amazon Kinesis Data Firehose for detail logging in AWS WAF

Amazon Web Services (AWS) provides various tools which you can use to monitor AWS WAF (Web Application Firewall).
In our previous blog, we have seen how we can centrally configure and manage AWS WAF rules across multiple accounts and applications using AWS Firewall Manager.
AWS now provides a new service for detailed logging called Amazon Kinesis Data Firehose,  which is a fully managed service for delivering real-time streaming data to destinations such as Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon Elasticsearch Service (Amazon ES), and Splunk.
Amazon Kinesis Data Firehose stores all logs in the S3 bucket. These detailed logs give us more information about why certain rules are triggered and why certain rules are blocked with our specific ACL (Access Control List) rules.
For Amazon S3 destinations, streaming data is delivered to your S3 bucket. If data transformation is enabled, you can optionally back up source data to another Amazon S3 bucket.This is done in two steps assuming WAF is already implemented (if not, first implement WAF with the help of our blog):

  1. Adding Kinesis Data Firehose stream and choosing the destination for the data from Amazon S3, Amazon Elasticsearch, and Amazon Redshift.
  2. From existing WAF configurations, and enabling detailed logs using Firehose instance.

Implementation
Follow these steps for implementing Amazon Kinetic Data Firehose:

  1. Select ‘Kinesis Data Firehose’ for a new instance.
  1. Add a unique name for Firehose
  1. Choose a source to send records to the delivery stream
  1. Transform source records
  1. Convert record format
  1. Select the destination
  1. Configure all setting as per our requirement for the S3 bucket and select ‘Enabled’
  1. Create IAM role with the following policy :

With the name firehose_delivery_role

  • iam:CreateServiceLinkedRole
  • firehose:ListDeliveryStreams
  • firehose:PutLoggingConfiguration

Select created IAM role firehose_delivery_role in the Kinesis Data Firehose instance creation

  1. Review all configurations and create a delivery stream

Finally, you will able to see the active firehose in the console.

  1. Enable logging

Navigate to the WAF console, choose the region where the WAF is configured in the Logging tab and configure the section for ‘Enable Logging’.We should now be seeing detail logging in Kinesis service:For testing our setup, we can use demo dataThat’s it. Have you already configured and started using Amazon Kinesis Data Firehose? What challenges did you face? What did you learn? If you need help, please leave a comment below and an AWS expert will get in touch with you.

Share this post

Table of Contents